Office of the Privacy Commissioner for Personal Data, Hong Kong
Annual Report

Complaint Investigations

Lessons Learnt from Complaints

The following complaint cases illustrate some data user acts or practices that were found to have contravened the requirements of the Ordinance during the reporting period. They are selected on the basis of subject content and demonstrate the wide variety of conduct subject to the provisions of the Ordinance, including those of the DPPs.

Financial institution providing credit data to credit reference agency: must ensure accuracy of credit data - DPP2(1)

The Complaint

The complainant borrowed money from a finance company in October 1998 and started to be in arrears with payment in October 2002. His loan account was subsequently written off in April 2003. In May 2003, the complainant and the finance company entered into a scheme of arrangement for repayment of the loan.

Later, the complainant obtained his credit report from a credit reference agency ("CRA") and found that the finance company had not reported the scheme of arrangement to the CRA. Moreover, even though the complainant paid his instalments every month on time under the scheme of arrangement, the finance company continued to accumulate the number of days in arrears on the original account and reported that figure to the CRA every month. Users of the complainant's credit report would be misled by such data into believing that the complainant was still in arrears with payment after the scheme of arrangement had been made in May 2003.

Outcome

The finance company explained that as its staff did not have enough knowledge of the Code of Practice on Consumer Credit Data (the "CCD Code"), they had not reported the information of the scheme of arrangement to the CRA according to the requirements of the CCD Code. Moreover, due to technical restrictions of its accounting system and customer credit data system, the finance company had not terminated the calculation of accrued number of days in arrears of the complainant's original loan account after his scheme of arrangement account became effective. Thus, the credit data of the complainant reported to the CRA were inaccurate.

According to the findings of the Commissioner, the finance company mistakenly believed that the CCD Code had not yet come into effect, so it had not reported the complainant's scheme of arrangement account to the CRA. This revealed that the finance company lacked knowledge of the relevant laws and regulations when handling consumer credit data, and its weak internal supervision also led to incorrect credit data being reported to the CRA.

Furthermore, when the finance company calculated and reported the complainant's credit data, it did not take the change in status of the complainant's loan account into consideration and adjust the reported credit data accordingly. Therefore, after the complainant's original loan account had been written off and restructured, his past arrears continued to accumulate and were wrongly shown on his credit report.
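To make the reporting defect concrete, the following is an added illustration; it is not part of the report and is not the finance company's system. It models a loan history on the complaint (arrears from October 2002, write-off in April 2003, scheme of arrangement effective May 2003; the exact days are assumed) and contrasts a counter that keeps running from the original arrears date with one that stops when the scheme of arrangement takes effect and reports the scheme account instead. The field names and the convention of counting days from the first day of arrears are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed illustration of the defect described in the case above.
# The loan history is modelled on the complaint; exact dates are assumed.


@dataclass
class LoanAccount:
    arrears_start: date                       # first day the account fell into arrears
    written_off: Optional[date] = None        # date the original account was written off
    scheme_effective: Optional[date] = None   # date the scheme of arrangement took effect
    scheme_paid_on_time: bool = True          # whether instalments under the scheme are current


def report_defective(acct: LoanAccount, report_date: date) -> dict:
    """Monthly CRA record as the finance company's system produced it.

    The counter runs from the original arrears date and never checks whether
    the account has since been restructured; the scheme is never reported.
    """
    if report_date < acct.arrears_start:
        days = 0
    else:
        days = (report_date - acct.arrears_start).days
    return {"days_in_arrears": days, "scheme_reported": False}


def report_corrected(acct: LoanAccount, report_date: date) -> dict:
    """Monthly CRA record that follows the account's change of status.

    Once the scheme of arrangement is effective, the original account's
    arrears counter stops. What is reported is the scheme account, which is
    current as long as its instalments are paid on time.
    """
    scheme_active = (acct.scheme_effective is not None
                     and report_date >= acct.scheme_effective)
    if scheme_active:
        if acct.scheme_paid_on_time:
            days = 0
        else:
            # Arrears under the scheme itself are counted from the scheme's own start
            days = (report_date - acct.scheme_effective).days
        return {"days_in_arrears": days, "scheme_reported": True}
    if report_date < acct.arrears_start:
        return {"days_in_arrears": 0, "scheme_reported": False}
    return {"days_in_arrears": (report_date - acct.arrears_start).days,
            "scheme_reported": False}


if __name__ == "__main__":
    # Constructed account: arrears Oct 2002, written off Apr 2003, scheme from May 2003
    acct = LoanAccount(arrears_start=date(2002, 10, 1),
                       written_off=date(2003, 4, 1),
                       scheme_effective=date(2003, 5, 1))
    for month in (date(2003, 3, 1), date(2003, 8, 1)):
        print(month, report_defective(acct, month), report_corrected(acct, month))
```

Before the scheme takes effect both functions agree; from May 2003 onward the defective counter keeps growing (304 days by 1 August 2003 in this constructed history) while the corrected record shows the scheme account as current. The same status check is what the enforcement notice's "system support" requirement is aimed at: the reporting routine has to consult the account's current status before emitting a figure.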

In view of the above, the finance company had contravened clause 3.4 of the February 2002 version of the CCD Code, clauses 2.5 and 2.7 of the June 2003 version (the latest version), as well as DPP2(1).

An enforcement notice was served on the finance company directing it to correct the complainant's credit data held by the CRA, to devise a policy for reporting customers' scheme of arrangement accounts to the CRA, and to ensure implementation of that policy by its staff. The finance company was further directed to ensure, by means of effective supervision, annual audit and system support, the timely and accurate reporting of customers' credit data to the CRA in accordance with the requirements of the CCD Code.

The finance company has complied with the enforcement notice.

Insurers: cannot retain personal data of unsuccessful insurance applicants for an indefinite period of time - DPP2(2)

The Complaint

An unsuccessful insurance applicant complained to the Commissioner against an insurer for retaining his application data after rejection of his application.

Outcome

The Commissioner found that it was the practice of the insurer to retain personal data of unsuccessful insurance applicants for an indefinite period of time.

The company stated that it was necessary for it to retain the data indefinitely for the purposes of (i) complying with the various legal requirements for keeping books of accounts; (ii) complying with the guidelines and circulars of the regulatory authorities; (iii) handling potential litigation, enquiries and complaints; and (iv) checking the completeness and accuracy of the information in the event of a future application from the same applicant.

Investigation by the Commissioner revealed that unsuccessful insurance applications generally fall into two categories: the first where a money transaction is involved (e.g. where a premium is paid together with the application), and the second where no money transaction is involved.

The Commissioner sought comments from the Hong Kong Federation of Insurers ("HKFI") and Office of the Commissioner of Insurance ("OCI") regarding the needs for retaining the data of unsuccessful insurance applicants and the period of retention; and studied the requirements of various ordinances which require records of business transactions to be kept.

In the former case, where books of account have to be kept, the Commissioner found it justifiable for the relevant data to be kept for the statutory period prescribed by the applicable ordinances. However, where no money transaction is involved, the Commissioner did not accept that the company should retain the personal data indefinitely simply because the person might apply again in future; otherwise it would be tantamount to giving a general sanction for indefinite retention of personal data by any service provider. For the purpose of handling any future enquiry, complaint or legal action that may be lodged, a reasonable period of retention suffices. Insofar as compliance with the guidelines and circulars issued by HKFI and OCI is concerned, these should not be applied out of context and should not be construed as derogating from the data user's duty to comply with the requirements of DPP2(2).

Premised on the above, the Commissioner took the view that for unsuccessful insurance applications where money transaction is involved, the optimal period of retention of the personal data concerned should generally not exceed 7 years. For cases where no money transaction is involved, the Commissioner found that an optimal retention period of two years generally sufficed for fulfilling the various purposes mentioned by the insurer.

An enforcement notice was served on the insurer requiring it to erase the personal data which had been retained longer than the optimal periods recommended by the Commissioner (unless special circumstances existed justifying a longer retention period). The company complied with the enforcement notice and erased more than 7,000 records.

Hospitals handling X-ray films: must take measures to prevent loss of the films - DPP4

The Complaint

A patient made a request to a public hospital for copies of 15 X-ray films taken during her hospitalisation in 2000. The hospital could not locate six of the films requested.

Outcome

An investigation undertaken by the Commissioner revealed that all X-ray films were stored in the hospital's X-ray film storage room; that the lending and return of X-ray films were overseen by a designated department of the hospital and recorded in the hospital's computer system; that X-ray films were placed in different envelopes according to their type and time of examination, each envelope being numbered and marked with the type, date and number of films; and that, on return of borrowed X-ray films, designated staff verified only the information marked on the envelope and not its contents.

The Commissioner opined that by failing to verify the number of returned films and that all the films in a returned envelope belonged to the particular patient, the hospital had failed to protect the X-ray films against loss during the lending process, thereby contravening DPP4 of the Ordinance.

An enforcement notice was served upon the hospital requiring it to take steps to: (1) ensure the borrowers acknowledge receipt of the X-ray films; (2) establish protocols on loan period, renewal of loan period and overdue notice for the borrowed X-ray films; (3) require the relevant staff to check, upon return of the borrowed X-ray films, that the returned films are those belonging to the relevant patient and that no borrowed item is missing.

The hospital complied with directions (1) and (2) but appealed to the Administrative Appeals Board against direction (3). The appeal decision is pending.

Organisations allowing processing of customers' data outside the office: must ensure security to prevent leakage - DPP4

The Complaint

A database containing personal data of about 600 policyholders of an insurance company including the customers' names, addresses, telephone numbers and insured amount had been leaked and was accessible by the public on the Internet via a website.

Outcome

An investigation carried out by the PCPD revealed that the leakage was caused by the insurance company's inappropriate grant of access to the personal data concerned to one of its insurance agents. The agent uploaded and stored the personal data on a web file server at his home, and as a result the data became accessible to unauthorised persons through Internet search engines.

The Commissioner found that the guidelines issued to the insurance agents and the control measures taken by the insurance company were substantially insufficient to guard against unauthorised access to, transfer, storage and removal of policyholders' personal data from the office premises, which led to the incident. Taking into account the sensitivity of the data involved and the harm likely to be inflicted upon the data subjects by an accidental data leakage, the insurance company was found in breach of the requirements of DPP4 for failing to take sufficient measures to safeguard the personal data of its policyholders.

An enforcement notice was issued, and in compliance the insurance company implemented corresponding safeguard measures, including reviewing its operating procedures and strengthening controls over the access, transfer and security of policyholders' personal data, in particular by specifying clearly the only circumstances under which processing of policyholders' personal data outside the office premises would be allowed.

Employer handling employee's data access request: should ensure proper application of "staff planning" exemption - Sections 19(1) and 53

The Complaint

A school teacher submitted two data access requests (the "DARs") to a school for copies of his past performance appraisal reports and records relevant to his past promotions in the school (collectively the "Requested Data"). However, the school refused to comply with the DARs by relying upon the exemption provision of section 53 of the Ordinance.

Outcome

The school explained that, since it had experienced a reduction in classes in recent years, it had to devise a list of surplus teachers (the "List") for a "staff planning" proposal to be submitted to the governing body when required. The schoolmistress took the view that teachers' past performance appraisals and promotion records were relevant data to be considered in devising the List and making the "staff planning" proposal, and that it was therefore necessary to withhold the Requested Data from the complainant in reliance on the exemption provisions of section 53 of the Ordinance.

After investigation, the Commissioner found that the school would only be required to compile the List if so requested by the governing body; at the time the school received the DARs, no such request had been made by the governing body, and hence no "staff planning" as averred by the school was yet in sight. Moreover, the promotion records and past appraisal reports were no more than routine personnel records compiled or created in the ordinary course of employment. They were not ex facie personal data relevant to "staff planning" as contemplated under section 53 of the Ordinance.

The Commissioner found that the school was not entitled to rely on the exemption provisions of section 53 of the Ordinance in not complying with the DARs.

The Commissioner issued an enforcement notice against the school and consequently the school provided the Requested Data to the complainant immediately and also devised operational procedures for handling data access requests made by individuals, in particular by school teachers.

Requested data controlled by another data user: must inform the requestor of the refusal to comply with a data access request within 40 days - Section 21(1)

The Complaint

The complainant under the arrangement of his employer, a solicitors' firm, attended a doctor's clinic for a medical examination. On the same day, he made a data access request ("DAR") to the doctor for a copy of the correspondence regarding him sent to the doctor by his employer. The complainant complained that he had not received a substantive reply from the doctor.

Outcome

Investigation by the Commissioner revealed that after the doctor had received the DAR, he sought advice from the complainant's employer on the matter. Since the complainant's employer had specifically asked the doctor not to disclose the correspondence on the ground of legal professional privilege, the employer controlled the use of the data and prohibited the doctor from complying with the DAR to provide a copy of the correspondence to the complainant. The doctor was therefore entitled to rely on section 20(3)(d) of the Ordinance to refuse to comply with the DAR.

However, the doctor failed to inform the complainant in writing of the refusal to comply with the DAR within 40 days of receiving it, in contravention of section 21(1) of the Ordinance.

An enforcement notice was served on the doctor requiring him to inform the complainant in writing of his refusal to comply with the DAR for a copy of the correspondence; the reasons for the refusal; and the name and address of the other data user concerned in accordance with section 21(1) of the Ordinance. The doctor subsequently complied with the enforcement notice.

Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.